feat: secure ldap rootpw

TOSIT-IO · Sep 16, 2024 · 89449b1 · 89449b1
1 parent 0327a9d
commit 89449b1
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/roles/ldap_kerberos/tasks/install_openldap_server.yml b/roles/ldap_kerberos/tasks/install_openldap_server.yml
@@ -51,6 +51,15 @@
     mode: "0644"
   notify: restart slapd
 
+- name: Configure slapd_password.conf
+  template:
+    src: slapd_password.conf.j2
+    dest: /etc/openldap/slapd_password.conf
+    owner: ldap
+    group: ldap
+    mode: "0600"
+  notify: restart slapd
+
 - name: Configure /etc/sysconfig/slapd
   template:
     src: sysconfig-slapd.j2

diff --git a/roles/ldap_kerberos/templates/slapd.conf.j2 b/roles/ldap_kerberos/templates/slapd.conf.j2
@@ -17,7 +17,8 @@ access to *
 database bdb
 suffix "{{ ldap_suffix }}"
 rootdn "{{ ldap_rootdn }}"
-rootpw {{ ldap_rootpw }}
+# rootpw
+include /etc/openldap/slapd_password.conf
 directory {{ ldapdb_dir }}
 sizelimit unlimited
 index objectClass,uid,mail,cn eq,pres

diff --git a/roles/ldap_kerberos/templates/slapd_password.conf.j2 b/roles/ldap_kerberos/templates/slapd_password.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+rootpw {{ ldap_rootpw }}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# {{ ansible_managed }}

		rootpw {{ ldap_rootpw }}